HIPAA Blog

[ Wednesday, December 30, 2015 ]

HIPAA's Repeat Offenders Often Avoid Punitive Action, say ProPublica and NPR (in a co-produced article). The article admits that the repeat violators (CVS and the VA get some heavy discussion, although the article notes but then ignores the fact that CVS did pay one huge penalty) tend to be large organizations with widespread operations. That's true, but what's also true is that their workforces tend to be either low-pay/high-turnover or hard to fire, and a lot of the problems they suffer are not from intentional data thievery or "being evil" but from employees acting out of stupidity, curiosity, or greed (all of which actions are likely in direct violation of well-publicized policies of the employers).

Still, more work needs to be done. And as has been evident over the last few months with so many big HIPAA settlements being announced, big fines and public announcements do have a ripple effect in the industry and have a tendency to "focus the attention" on fixing issues before they cause damage.

And hidden in the middle of the article is a nice little database tool from ProPublica: HIPAA Helper, which helps you figure out who the repeat offenders are. You can search the HIPAA "wall of shame" (go to "advanced options") by name of entity, but sometimes the common name of the entity isn't its official name, either of which could attach to the "big breach" filing.

Two points about CVS: I've actually had issues getting CVS to appropriately deal with the consequences of what they acknowledged was a serious breach of my client's PHI, although I'd say the problem was more with their counsel trying to act tough. I do know that CVS got tagged for $2.25 million for the Indianapolis drug store dumpster-diving case that also netted Walgreens and Rite Aid $1 million fines each. I've never been able to figure out why CVS had to pay more than twice as much as the other two drug stores, but my suspicion is that "strategic legal decision-making" might explain part of it (IYKWIMAITYD).

Second, I also know that, in connection with the $2.25 million HIPAA fine, CVS also reached a settlement agreement with the FTC over its lax security of personal information. In connection with the HIPAA settlement, CVS had to bring in an outside agency to review their privacy and security procedures for 3 years; in connection with the FTC settlement, CVS has to report to the FTC every 2 years, for 20 years, on its privacy and security activities. 20 years is a long time. . . .